- freely available
- re-usable

*Energies*
**2014**,
*7*(5),
2780-2798;
doi:10.3390/en7052780

**Author Contributions:**Cristina Rottondi and Giacomo Verticale jointly designed the privacy preserving framework. Cristina Rottondi designed the associated protocol and the benchmark Integer Linear Program. The security assessment of the proposed infrastructure has been provided by Giacomo Verticale. Both the privacy-friendly protocol and the ILP model have been implemented and tested by Simone Fontana

## Abstract

**:**The diffusion of Electric Vehicles (EV) fostered by the evolution of the power system towards the new concept of Smart Grid introduces several technological challenges related to the synergy among electricity-propelled vehicle fleets and the energy grid ecosystem. EVs promise to reduce carbon emissions by exploiting Renewable Energy Sources (RESes) for battery recharge, and could potentially serve as storage bank to flatten the fluctuations of power generation caused by the intermittent nature of RESes by relying on a load aggregator, which intelligently schedules the battery charge/discharge of a fleet of vehicles according to the users' requests and grid's needs. However, the introduction of such vehicle-to-grid (V2G) infrastructure rises also privacy concerns: plugging the vehicles in the recharging infrastructures may expose private information regarding the user's locations and travelling habits. Therefore, this paper proposes a privacy-preserving V2G infrastructure which does not disclose to the aggregator the current battery charge level, the amount of refilled energy, nor the time periods in which the vehicles are actually plugged in. The communication protocol relies on the Shamir Secret Sharing threshold cryptosystem. We evaluate the security properties of our solution and compare its performance to the optimal scheduling achievable by means of an Integer Linear Program (ILP) aimed at maximizing the ratio of the amount of charged/discharged energy to/from the EV's batteries to the grid power availability/request. This way, we quantify the reduction in the effectiveness of the scheduling strategy due to the preservation of data privacy.

## 1. Introduction

The evolution of the electric power system toward the novel Smart Grid paradigm and the progressive concurrent electrification of transportation aimed at the reduction of carbon emissions rises various issues related to the interactions between the distribution network and the Electric Vehicles (EVs). Such category of vehicles includes battery/fuel cell-powered automobiles, as well as hybrid systems combining electricity generators and conventional gasoline engines [1,2]. Several investigations on the potential market penetration of EVs and on the impacts of their possible massive introduction have been carried out by the research community [3,4]: on one hand, the additional connected load capacity required to simultaneously recharge a huge number of EVs might significantly impact the energy consumption trend; on the other hand, the EVs' batteries represent a huge storage bank that can be exploited to flatten the typically unpredictable power generation patterns of Renewable Energy Sources (RESes) by accumulating energy in case of excessive power generation and transferring it back to the grid during peak-demand periods [5,6]. To enable such synergies between EVs and the Smart Grid, which are usually referred to as Vehicle-to-Grid (V2G) interactions, the introduction of an aggregator capable of coordinating the charging/discharging process for a huge fleet of vehicles has been proposed [7,8]: the role of such agent is to operate as middleman between the vehicle owner (who could not act as stakeholder on the electricity market due to the limited power capacity of a single vehicle) and the electrical utilities or system operators. Several business models for the aggregation entity have been studied, possibly taking into account the additional costs incurred by the EVs' owners due to the frequent battery charge/discharge and the introduction of financial incentives to encourage the owners to plug their vehicle when not in use [9,10]. However, V2G assumes that detailed information about the traveling habits of the vehicle owners are available at the aggregator, which can disclose sensitive data (e.g., presence in a certain location at a given time) and thus arises privacy concerns [11,12]: according to NIST [13], once a two-way communication between the EV and the charging station is established, there is currently no technical limitation to the amount and type of data that could be obtained from the EV's microcomputers which manages specific functions such as breaking, ignition systems, lighting controls, fuel delivery, on-board diagnostics, and so on. This could lead to potentially threatening consequences: for instance, burglars could track people's movements before attempting robberies, information about vehicle maintenance could be inferred and exploited for insurance and warranties, or companies could perform targeted marketing for car-related services.

The main contributions of our paper are:

the design of a privacy preserving online framework which allows a set of Aggregators to collaboratively coordinate the charging/discharging process of the vehicles' batteries without learning the time periods in which the EVs are actually plugged-in and the current charge level of the batteries, nor the amount of refilled energy: every data is split in w parts called shares by means of the Shamir Secret Sharing (SSS) threshold cryptosystem and each share is given to a different Aggregator. The protocol ensures that a collusion of less than t ≤ w Aggregators cannot reconstruct the data.

the definition of a set of security properties which capture the requirements of V2G interactions for battery recharge and the proof that such properties are satisfied by our proposed scheduling protocol.

the formulation of a benchmark offline scheduling problem, which assumes full knowledge of the future travels of the users and of the battery-related information before the beginning of the scheduling horizon.

the comparison of the performance of our privacy-friendly mechanism to the benchmark model. This way, we quantify the reduction in the effectiveness of the scheduling strategy due to incorporating data privacy preservation in the scheduling mechanism.

The benefits introduced by our privacy-friendly protocol are twofold: on one hand, it encourages the EV owners to take part in the scheduling optimization framework by protecting their personal data. Assuming an underlying business model which rewards the users that allow for the discharge of their EV's batteries, providing privacy in V2G interactions could therefore lead to significant cost savings for the individual users. On the other hand, the wider is the EV fleet participating to the protocol, the higher is the degree of flexibility experienced by the grid in the management of the power generation/consumption balancing, thus helping in a more effective compensation of the unpredictable power generation patterns of RESes.

The remainder of the paper is structured as follows: Section 2 provides an overview of the related literature, while some background notions about the SSS scheme are recalled in Section 3. The privacy-friendly scheduling infrastructure, the collaborative scheduling procedure and the associated communication protocol are discussed in Section 4. The security analysis of the proposed scheduling mechanism are presented in Section 5, while Section 6 introduces an Integer Linear Programming formulation for the optimal scheduling to be used as evaluation benchmark. The performance assessment of our proposed solution is discussed in Section 7. Final conclusions are drawn in the last Section.

## 2. Related Work

The design of EVs and the characterization of their interactions with the power grid has been widely investigated in the last decade: for a comprehensive survey on the impact of the introduction of EVs in the Smart Grid ecosystem, the reader is referred to [14], while a thorough overview on the economical and technical models of aggregator agents for EV fleets can be found in [15].

A substantial body of work investigates optimal and heuristic policies for the battery recharge of a population of EVs based on various approaches, ranging from game theory [16,17] to queuing theory [18,19], possibly associated with reinforcement learning techniques [20] or stochastic/fuzzy logic-based predictors [21]. Game models are suitable for scenarios involving multiple selfish entities, each one operating with the aim of optimizing his own utility function, and allow for possible negotiations among them. Conversely, in our framework we assume that the vehicle owners fully collaborate with the aggregator in order to achieve a common optimization goal in terms of balancing of the grid's power availability, without assumption of any economical incentives. Queuing models are employed to capture constraints such as limits on the maximum number of EVs to be charged contemporaneously: our scenario assumes that the charging station is equipped with a sufficient number of plugs to serve the whole fleet without introducing additional waiting times.

However, none of the above papers addresses the privacy-related issues which are peculiar of the V2G scenario, which have been considered only by a few studies: Stegelmann and Kesdogann [22] enumerate the security requirements of a V2G infrastructure in presence of an untrusted aggregator, and formalize the model of an honest-but-curious attacker which tries to infer the traveling habits of the vehicle owners by linking the plugging/unplugging events at the charging stations in different locations. The same authors further refine such adversary model in [23] by integrating information regarding the charge level of the EV's batteries. We consider the same attacker model, and our solution ensures that the aggregators schedule the charging/discharging process without knowing the total amount of energy to be provided to the battery, nor the time periods in which the EV is actually plugged. The only information available at the aggregators is a priority tag which declares whether the EV must be necessarily charged or could also be discharged, according to the current battery charge level, which remains undisclosed.

Yang et al. [24] also assume a honest-but-curious aggregator model in a two-tiered structure including multiple local aggregators directly interacting with the vehicles and a central aggregator which interfaces the electricity market, and propose a rewarding scheme based on blind signature techniques, which ensures mutual authentication while preserving location and identity privacy, and allows for anonymous rewards. Our solution is based on Shamir Secret Sharing scheme, which is computationally less demanding, but requires the collaboration of multiple scheduling entities, thus introducing additional message exchanges among them (which would not occur in presence of a single aggregator).

Liu et al. propose in [25] a two-way anonymous payment system for EVs' battery charge/discharge providing traceability in case of car theft, while Nicanfar et al. [26] design a pseudonym-based authentication scheme, which ensures untraceability of the users' movements and assumes the presence of an external trusted entity in charge of recording the associations between pseudonyms and real identities to provide accountability for billing purposes. Though the security of the billing process is out of the scope of our contribution, similar protocols could be easily integrated in our infrastructure.

## 3. Background on Shamir Secret Sharing Scheme

Shamir Secret Sharing (SSS) scheme [27] is a cryptographic threshold scheme which allows multiple participants to reconstruct a secret by means of a collaborative procedure. To do so, the secret is split in w shares, which are given to the participants to the protocol: the secret can be recovered through cooperation of at least t ≤ w participants, where the threshold t is a system design parameter.

More in detail, the SSS scheme works as follows. Choose a prime number q and split the secret m ∈ Z_{q} in w shares (x_{s},y_{s}) (1 ≤ s ≤ w)by selecting t − 1 integer random numbers ρ_{1},ρ_{2}, ⋯, ρ_{t}_{−1} with uniform distribution in [0, q − 1] and calculating the s-th share as
${y}_{s}=m+{\rho}_{1}{x}_{s}+{\rho}_{2}{x}_{s}^{2}+\dots +{\rho}_{t-1}{x}_{s}^{t-1}$ mod q, where x_{s} ∈ Z_{q} is arbitrarily chosen. The secret can be reconstructed by interpolating at least t shares, using e.g., the Lagrange interpolation algorithm. The SSS scheme has homomorphic properties with respect to addition and multiplication, meaning that performing such operations on the shares and then recovering the result leads to the same result that would be obtained by computing the same operations on the secrets directly. The sum of two secrets can be independently calculated by a single participant by summing the corresponding shares, while multiplication must be performed interactively by means of a collaborative procedure, e.g., as the one described in [28]. Therefore, any function expressed in terms of additions and multiplications can be calculated directly on the shares. In particular, several collaborative methods to perform the comparison of two secrets have been proposed (see e.g., [29,30]). In this paper, we will adopt the comparison protocol presented in [30], which works as follows: each party holding the s-th shares (x_{s}, y_{s}),
$({x}_{s}^{\prime},{y}_{s}^{\prime})$ of the secrets m and m′ to be compared selects two big random numbers **r**_{s},
${r}_{s}^{\prime}$, which can multiplicatively hide m − m′, and a random bit b_{s} ∈ {0,1}. The collaborative protocol enables each party to obtain a share of the quantity
$c=(m-{m}^{\prime}){\prod}_{s=1}^{t}{\left(-1\right)}^{{b}_{s}}{r}_{s}-{\sum}_{s=1}^{t}{\left(-1\right)}^{1-{b}_{s}}{r}_{s}^{\prime}$. The result of the comparison can be computed by retrieving c, setting a bit e either to 0 in case c > 0 or to 1 otherwise (note that in a modulo n field negative numbers are represented by the upper half of the range [0, n − 1]), and calculating the result of the XOR operation ξ = e ⊕ b_{1} ⊕ ⋯ ⊕ b_{t}. ξ = 0 indicates that m > m′, while ξ = 1 indicates that m < m′. The reader is referred to [30] for additional details about the collaborative procedure and the proof of the correctness of the comparison protocol.

## 4. The Privacy-Friendly V2G Communication Framework

As depicted in Figure 1, our proposed architecture comprises a set of EVs, , a set of Aggregators, , which collaboratively schedule the charge/discharge of the EVs' batteries, and an Anonymizer which collects the messages sent by the EVs and replaces their IDs with pseudonyms before forwarding the messages to the Aggregators. The Anonymizer also receives the charge/discharge schedules from the Aggregators and communicates each of them to the addressed EV

We assume that:

- (1)
Each EV is equipped with hardware and software (e.g., as described in [31,32]) enabling Internet access at any time.

- (2)
A Configurator node is responsible for the setup of a suitable public-key infrastructure (e.g., as the one proposed in [33]).

- (3)
The parties agree on a hybrid encryption algorithm E(K

_{e}, ·) and a corresponding decryption algorithm D(Kd, ·). The hybrid scheme is assumed to be IND-CPA secure [34] (i.e., it ensures message indistinguishability under chosen plaintext attack) and uses state-of-the art secure public key cryptography and symmetric cryptography to transmit messages of any size.- (4)
Each Aggregator a ∈ has its own pair of public/private keys $({K}_{e}^{a},{K}_{d}^{a})$ and all the EVs know the public keys of the Aggregators.

- (5)
All the communication channels between the EVs, the Anonymizer, and the Aggregators are confidential and authenticated.

We also assume that time is divided in a set of epochs
of finite duration T (e.g., in the order of minutes) and that at the beginning of each epoch i ∈
the system operator communicates the maximum amount g_{i} of power it can provide to recharge the Vehicles or it would need to discharge in order to satisfy the demands generated by other categories of critical loads (e.g., non-deferrable appliances). Such power supply/request curve is supposed to be public and known to all the Aggregators.

The design goal is to schedule the charge/discharge times of the EVs' batteries through a collaborative procedure in order to satisfy the customers' recharge requests while minimizing the difference between the power supplied (requested) by the grid and the power charged (discharged) to (from) the batteries, without exceeding the grid overall power availability (request).

A pictorial view of the exchanged messages between Vehicles and Aggregators is presented in Figure 2, while a list of the main symbols is provided in Table 1.

Whenever a new epoch i starts, each Vehicle υ ∈
initializes a parameter Γ_{υi} either to 0, in case it is unable or unwilling to be charged/discharged (for instance because it is currently traveling or because its battery is already full) or to r_{υ}, which indicates the Vehicle's charge/discharge rate. Moreover, υ defines a threshold t_{υ} indicating the level of charge below which no discharge is accepted by the customer. In a worst-case scenario, t_{υ} equals the level of full battery charge, meaning that the customer does not allow for any discharge. Let l_{υi} be the battery charge level of υ at the beginning of epoch i: if l_{υi} < t_{υ}, υ sets a priority bit b_{υi} to 1, otherwise to 0. Further, υ generates an ephemeral keypair
$({K}_{e}^{\upsilon i},{K}_{d}^{\upsilon i})$, which is refreshed at every epoch. Then, υ divides Γ_{υi} in shares using a (w,t)-SSS scheme with parameters t = w = |
|, thus obtaining |
| shares S_{1} (Γ_{υ}_{i}), …, S_{|
|}(Γ_{υi}), and concatenates the priority bit b_{υi} and the ephemeral encryption key
${K}_{e}^{\upsilon i}$ to each share S_{a}(Γ_{υi}). For the sake of easiness, in this paper we set as SSS threshold t = w, meaning that all the Aggregators must collaborate to perform the charge/discharge scheduling procedure. However, to improve resiliency to faults and malfunctions, t could be lower than w. For a discussion on the correct dimensioning of t and w, the reader is referred to [35]. Finally, υ encrypts
${b}_{\upsilon i}\left|\right|{S}_{a}({\gamma}_{\upsilon i})\left|\right|{K}_{e}^{\upsilon i}$ using the public key
${K}_{e}^{a}$ for each Aggregator a ∈
and sends the pair ID_{υ},
${E}_{{K}_{e}^{a}}({b}_{\upsilon i}||{S}_{a}({\gamma}_{\upsilon i})||{K}_{e}^{\upsilon i})$ to the Anonymizer, where ID_{υ} is the identity of Vehicle υ.

Upon reception of the |
| messages sent by υ, the Anonymizer replaces ID_{υ} with a random pseudonym Π_{υi}, which is refreshed at every epoch, and forwards each pair Π_{υi},
${E}_{{K}_{e}^{a}}({b}_{\upsilon i}||{S}_{a}({\gamma}_{\upsilon i})||{K}_{e}^{\upsilon i})$ to the respective Aggregator a.

Let Γ_{Π}_{υi} be the scheduling output of the Vehicle associated to the pseudonym Π_{υi}, which can be set by the Aggregators either to 1 if the Vehicle is scheduled for recharge, to −1 if it is scheduled for discharge, or to 0 otherwise. Moreover, let P_{i} be a variable which records the amount of power required for the charges/discharges scheduled during the current epoch i: positive values of P_{i} indicate that the grid must provide power to charge the batteries, while negative values indicate that the energy collected from the batteries is injected in the grid.

Algorithm 1 The Privacy-Friendly Scheduling Algorithm | |

1: | On input of the epoch number i and of Π_{υi}, b_{υi}, S_{a}(Γ_{υi}),
${K}_{e}^{\upsilon i}\forall \upsilon \in \mathcal{V}$ |

2: | _{i} ← {Π_{υi} ∀υ ∈
},
_{h} ← {Π_{υi} ∈
_{i}: b_{υi} = 1},
_{l} ← {Π_{υi} ∈
_{i}: b_{υi} = 0}, Γ_{Π}_{υi} ← b_{υi} ∀Π_{υi} ∈
_{i} |

3: | S_{a}(P_{i}) ← S_{a}(P_{i}) + ∑_{ῡ:Πυī∈
h} (Γ_{υī}) |

4: | for all Π_{υi} ∈
_{l} do |

5: | if g_{i} > 0 then |

6: | collaboratively compare P_{i} + r_{υ} and g_{i} |

7: | if P_{i} + r_{υ} < g_{i} then |

8: | S_{a}(P_{i}) ← S_{a}(P_{i}) + S_{a} (Γ_{υi}), Γ_{Π}_{υi} ← 1 {The grid provides enough energy to recharge υ} |

9: | else |

10: | collaboratively compare P_{i} and g_{i} |

11: | if P_{i} > g_{i} then |

12: | S_{a}(P_{i}) ← S_{a}(P_{i}) − S_{a}(Γ_{υi}), ΓΠ_{υi} ← −1 {υ is discharged to reduce the amount of energy taken from the grid} |

13: | end if |

14: | end if |

15: | else |

16: | collaboratively compare P_{i} − r_{υ} and g_{i} |

17: | if P_{i} − r_{υ} > g_{i} then |

18: | S_{a}(P_{i}) ← S_{a}(P_{i}) − S_{a}(Γ_{υi}), Γ_{Π}_{υi} ← −1 {υ is discharged to inject energy from the battery to the grid} |

19: | else |

20: | collaboratively compare P_{i} and g_{i} |

21: | if P_{i} < g_{i} then |

22: | S_{a}(P_{i}) ← S_{a}(P_{i}) + S_{a}(Γ_{υi}), Γ_{Π}_{υi} ← 1 {υ is charged to reduce the excessive amount of energy provided by the batteries to the grid} |

23: | end if |

24: | end if |

25: | end if |

26: | end if |

Initially, a designated Aggregator ā sets P_{i} to 0, divides it in shares and distributes the shares S_{a}(P_{i}) to the Aggregators. Once all the pseudonymized messages from every EV have been received by the Aggregators, each Aggregator a decrypts the incoming messages using its private key
${K}_{d}^{a}$ and retrieves the triple b_{υi}, S_{a}(r_{υ}),
${K}_{e}^{\upsilon i}$ for each Vehicle υ, then it operates according to Algorithm 1 as follows:

- (1)
It groups the EVs'pseudonyms in two sets

_{h}and_{l}. The former set includes all the pseudonyms associated to Vehicles with b_{υi}= 1 which do not allow battery discharge, while all the other pseudonyms are grouped in_{l}. Note that the Vehicles whose pseudonyms are in_{h}are considered to have high charge priority, meaning that they will always be scheduled for recharge, regardless to the energy availability of the grid. Conversely, the Vehicles belonging to_{l}can be either charged/discharged or not, in order to meet the grid power offer/demand.- (2)
The recharge of each Vehicle with pseudonym Π

_{υi}∈_{h}is scheduled for the epoch i by setting Γ_{Π}_{υi}to 1 and the total power amount P_{i}is updated by adding the corresponding share S_{a}(Γ_{υi}). Note that the additions are performed directly on the shares, therefore the Aggregator operates without knowing the values Γ_{υi}. In case Γ_{υi}= 0, i.e., υ is not available for recharge/discharge, adding S_{a}(Γ_{υi}) to S_{a}(P_{i}) does not alter the current values of P_{i}.- (3)
For each Vehicle associated to a pseudonym Π

_{υi}∈_{l}, if g_{i}> 0 (i.e., the grid has a power surplus which can be used to recharge the batteries), the Aggregators collaboratively compare P_{i}+ Γ_{υi}and gi by means of the comparison protocol presented in [30]. Without loss of generality, we assume that the Aggregator ā is elected as responsible of defining the order of service of the vehicles in_{l}(which is randomly chosen at every epoch) and to communicate it to the other Aggregators. If the current power amount (including the recharge of υ) does not exceed g_{i}, υ is scheduled for recharge, otherwise a second collaborative comparison between P_{i}and g_{i}is performed: if P_{i}exceeds g_{i}(meaning that the current energy used to serve the Vehicles exceeds the grid's power availability), the discharge of υ is scheduled, otherwise no charge/discharge takes place. Analogously, for g_{i}< 0, P_{i}− Γ_{υi}and g_{i}are collaboratively compared and in case P_{i}− r_{υ}exceeds g_{i}, the discharge of the battery of υ is scheduled in order to reduce the amount of energy used for recharging, otherwise the Aggregators compare again P_{i}to g_{i}and if P_{i}< g_{i}(i.e., the total discharged energy exceeds the grid's needs), υ is recharged. Conversely, in case P_{i}> g_{i}, no action is scheduled.

Once the scheduling procedure is concluded, ā sends to the Anonymizer the scheduling output
${E}_{{K}_{e}^{a}}({\Gamma}_{{\prod}_{\upsilon i}})$ encrypted under the ephemeral encryption key of Vehicle υ and the corresponding pseudonym Π_{υi}. The Anonymizer retrieves the identity ID_{υ} of the Vehicle associated to Π_{υi}, forwards
${E}_{{K}_{e}^{a}}({\Gamma}_{{\prod}_{\upsilon i}})$ to υ, which obtains Γ_{Π}_{υi} by decrypting the message with its private ephemeral key
${K}_{e}^{\upsilon i}$ and schedules its battery charge/discharge accordingly.

## 5. Security Discussion

In this Section we discuss the adversarial model, state definitions of the privacy properties of our scheduling mechanism and provide proofs that such properties are guaranteed by our framework.

We assume that each Aggregator behave according to the honest-but-curious attacker model, meaning that it honestly executes the scheduling algorithm, but tries to obtain further information about the current battery levels of the EVs and the amount of refilled energy by performing arbitrary elaborations on the messages they receive, possibly colluding with other Aggregators (but not with the Anonymizer). The Anonymizer is also supposed to be honest-but-curious. Conversely, the EVs are assumed to by honest nodes.

We now define the property of **blindness**, which the proposed infrastructure satisfies.

#### Definition 1

The scheduling infrastructure provides **blindness** if during any set of epochs
a collusion of Aggregators of cardinality c <
cannot relate b_{υi} to the identity ID_{υ} of the Vehicle which generated it during any set of epochs
and obtains no additional information with respect to what is implied by the knowledge of (S_{a}(Γ_{υi}), b_{υi}) for each Aggregator a ∈
.

More formally, we define the
`Blind` experiment, involving a challenger
controlling the Anonymizer node and a probabilistic polynomial-time adversary
controlling the set of colluded Aggregators
: |
| <
:

- (1)
selects four sets of Vehicles ${\mathcal{V}}_{0}^{h},{\mathcal{V}}_{0}^{l},{\mathcal{V}}_{1}^{h},{\mathcal{V}}_{1}^{l}\subseteq \mathcal{V}:{b}_{\upsilon \text{i}}=1\forall i\in \mathcal{I}$, $\upsilon \in {\mathcal{V}}_{0}^{h}{\mathcal{V}}_{1}^{h}\wedge {b}_{\upsilon \text{i}}=0\forall i\in \mathcal{I}$, $\upsilon \in {\mathcal{V}}_{0}^{l},{\mathcal{V}}_{1}^{l}\wedge \left|{\mathcal{V}}_{0}^{h}\right|=\left|{\mathcal{V}}_{1}^{h}\right|\wedge \left|{\mathcal{V}}_{0}^{l}\right|=\left|{\mathcal{V}}_{1}^{l}\right|$, the identifiers ID

_{v}, the values Γ_{υi}and the random numbers ρ_{1}, ρ_{2}, …, ρ_{t−1}to be used to divide each Γ_{υi}in shares for each Vehicle in ${\mathcal{V}}_{0}^{h},{\mathcal{V}}_{0}^{l},{\mathcal{V}}_{1}^{h},{\mathcal{V}}_{1}^{l}$, and communicates them to .- (2)
selects a random bit b̄ = {0,1}, generates the pseudonyms Π

_{υi}and the shares S_{a}(Γ_{υi}) ∀_{i}∈ , a ∈ , $\upsilon \in \mathcal{V}\frac{h}{b},\mathcal{V}\frac{l}{b}$, and communicates them to .- (3)
outputs a bit b̄′.

The architecture provides |
| -**blindness** if:

The proof that our proposed infrastructure is **blind** descends from the property of perfect secrecy of the SSS scheme [36] and can be constructed by straightforwardly extending the one provided in ([37], Theorem 3) for two sets of shares to a scenario with |
|(|
_{l}| + |
_{h}|) sets of shares. The theorem proves that, given two secrets m_{0}, m_{1}, two sets of their shares
_{0},
_{1} of cardinality t − 1 and a random bit b̄ ∈ {0,1}, the probability that an adversary provided with m_{b̄},
_{0},
_{1} can guess the correct value of b̄ is 1/2.

Thus, it follows that:

The proof is completed by noting that the pseudonyms Π_{υi} are random numbers refreshed at every epoch, therefore the knowledge of Π_{υi} does not provide any advantage to
: in particular, from the point of view of the collusion
, if b_{υi} = 1 no Vehicle ῡ appears to be more likely to be the sender of b_{υi} than any other Vehicle
$\upsilon \in \mathcal{V}\frac{h}{b}$. Analogously, if b_{υi} = 0, all the Vehicles in
$\mathcal{V}\frac{l}{b}$ are equally likely to have generated b_{υi}. It follows that the collusion
obtains no information to reconstruct the succession of b_{ῡi} generated by a given Vehicle ῡ during the succession of epochs
.

#### Definition 2

The scheduling architecture is **oblivious** if the Anonymizer has no knowledge of the priority bit b_{υi}, the values Γ_{υi} and the scheduling outputs ΓΠ_{υi} in any epoch i.

To formalize this property, we define the
`Oblivious` experiment, which involves a challenger
controlling the set of Aggregators and an adversary
controlling the Anonymizer:

- (1)
selects two Vehicles υ

_{0}, υ_{1}∈ and communicates to the priority bits b_{υ}_{0}_{i},b_{υ}_{1}_{i}, the values Γ_{υ}_{0}_{i}, Γ_{υ}_{1}_{i}, and the random numbers ρ_{1}, ρ_{2}, …, ρ_{t}_{−1}to be used to divide Γ_{υ}_{0}_{i}, Γ_{υ}_{1}_{i}, in shares.- (2)
selects a random bit b̄ = {0,1}, generates ${E}_{{K}_{e}^{a}}({b}_{{\upsilon}_{b}^{-i}}||{S}_{a}({\gamma}_{{\upsilon}_{b}^{-i}})||{K}_{e}^{{\upsilon}_{b}^{-i}})\forall a\in \text{A}$ and the encrypted scheduling output ${E}_{{K}_{e}^{\underset{b}{\upsilon -i}}}({o}_{{\prod}_{\underset{b}{\upsilon -i}}})$, and communicates them to .

- (3)
outputs a bit b̄′.

The architecture provides **obliviousness** if:

Assuming that the cryptosystem E(K_{e}, ·) ensures message indistinguishability (see Section 4), the property can be proved by contradiction: let us suppose that the adversary
has more than negligible advantage in the Oblivious experiment. Since in Oblivious the adversary
arbitrarily chooses the plaintext data and all the parameters of the SSS scheme, Oblivious is constructed analogously to the IND-CPA experiment [34]. Therefore, if
has more than negligible advantage over randomness to guess b̄ in the Oblivious experiment, it also has a non-negligible advantage in the IND-CPA experiment, which violates the assumption of message indistinguishability under chosen plaintext.

Finally, it is worth discussing the correctness of our privacy-friendly scheduling protocol: at the end of the scheduling procedure, it results S_{a}(P_{i}) = ∑_{Π}_{υi}_{∈
}_{i} Γ_{Π}_{υi} · S_{a}(Γ_{υi}). Therefore, the overall energy usage reconstructed by means of the secret recovery procedure would be P_{i} = ∑_{Π}_{υi}_{∈
}_{i} Γ_{Π}_{υi} · Γ_{υi}. Since the value of Γ_{Π}_{υi} is set based on the result of the comparison protocol presented in [30], which has been therein proved to be correct, it follows that the output of the privacy-friendly scheduling algorithm is the same that would be obtained by operating directly on the plaintexts.

## 6. Benchmark ILP Model

We now introduce an Integer Linear Programming formulation which finds the optimal battery charge/discharge schedule. Such model should be considered as an ideal benchmark, since it relies on future knowledge about the periods in which EVs are plugged in, the current battery level and the amount of energy to be refilled, which would impose great limitations to its applicability to a real scenario (e.g., by requiring the users to declare in advance their traveling periods for the next day).

Sets

: set of recharge periods of the EVs (each vehicle υ ∈ has at least one recharge period within the optimization time span)

: set of discretized epochs within the optimization time span

Parameters

e

_{p}: maximum amount of power to be provided during the recharge period p (given by the difference between the battery maximum capacity and the initial battery charge level l_{υ}of the Vehicle υ having the p-th recharge period)a

_{p}: minimum amount of power to be provided during the recharge period p (a_{υ}= t_{υ}− l_{υ}if l_{υ}< t_{υ}, 0 otherwise)r

_{p}: battery charge rate (per epoch) of the vehicle υ having the p-th recharge periodk

_{pi}: it is 1 if epoch i belongs to the p-th recharge period, 0 otherwiseg

_{i}: maximum grid power supply (if g_{i}> 0) or demand (if g_{i}< 0) at epoch i${u}_{i}^{+}$ : boolean indicator, it is 1 if g

_{i}> 0, 0 otherwise${u}_{i}^{+}$ : boolean indicator, it is 1 if g

_{i}< 0, 0 otherwiseM: positive value, such as M ≫ max

_{i}_{∈}|g_{ }_{i}|

Variables

x

_{pi}: integer variable (−1 ≤ x_{pi}≤ 1), it is 1(− 1) if the battery of the vehicle associated to the p-th recharge period is recharged(discharged) at epoch i, 0 otherwiseδ: indicates the minimum ratio of the power utilized (provided) for battery recharge (discharge), to the power supplied/requested by the grid

Objective function

The objective function maximizes the minimum ratio of the power requested by the aggregator to recharge the vehicles' batteries (or obtained by the aggregator by discharging them) to the power requested/offered by the grid. Constraints 2 and 3 limit the minimum/maximum amount of energy to be charged during each recharge period, while Constraints 4 and 5 avoid recharging batteries with more energy than the grid can provide or injecting excessive energy into the grid by discharging batteries during the periods of shortages. Finally, Constraints 6 set δ to the minimum normalized amount of scheduled power absorption/supply

## 7. Performance Evaluation

We now evaluate our proposed scheduling mechanism in terms of computational complexity, message number and length, and compare its performance to the optimal results obtained by means of the ILP formulation presented in Section 6. Our implementation assumes a 256 bit-long modulo q for the SSS scheme and IDs/pseudonyms of 32 bits. The hybrid cryptosystem used for the share encryption is the RSA-KEM Key Transport Algorithm [38], which uses the RSA public key cryptosystem with modulo n of 1024 bits, the KDF2 key derivation function (based on SHA-1) and the AES-Wrap-128 key-wrapping scheme to communicate an ephemeral 128-bit-long key used to encrypt the samples V(i) by means of the standard AES scheme operating in Chipher Block Chaining mode (CBC). The scheduling output destined to the EVs is assumed to be encrypted with the standard RSA public key cryptosystem.

#### 7.1. Computational Complexity

We start evaluating the asymptotic number of incoming/outgoing messages at each node. As showed in Table 2, the number of messages exchanged by the Vehicles exhibits a linear dependence on the number of shares | |, while for the Anonymizer it depends linearly on both | | and the number of EVs | |. Finally, for the Aggregators the dependence is linear in | | and superlinear in (due to the collaborative comparison procedure discussed in [30]).

Table 3 reports the operations performed by each node for the scheduling of a single battery recharge. The computational cost of each operation is detailed in Table 4 based on [28,30]. The most demanding procedure is the share collaborative comparison performed by the Aggregators in multiple rounds depending on | |.

Finally, it is worth discussing the message length: each service request generated by an EV and forwarded by the Anonymizer consists on a 32 bit-long ID/pseudonym and a RSA-KEM encrypted message of 2624 bits, for a total length of 2656 bits. During the share comparison procedure, each share is in turn divided in |
| shares and redistributed among the Aggregators. In a worst case scenario in which all the EVs have low priority, each Aggregator sends/receives at most |
| · |
| · (|
| – 1) messages of 256 bits each (see [30] for further details) per comparison round (note that the number of rounds exhibits a logaritmic dependency on |
|). Ultimately, the scheduling output for each EV Γ_{υi} is encrypted and forwarded to the Anonymizer together with the respective pseudonym, thus requiring |
| messages of 32 + 1024 = 1056 bits each. In a scenario with |
| = 4 and |
| = 1000 the throughput per scheduling epoch experienced by each Aggregator would be approximately (worst case) 8.6 Mbit/epoch, of which 4.9 Mbit/epoch are due to the inter-Aggregators communications and 3.7 Mbit/epoch are due to the EVs-to-Aggregators communications). It follows that the inter-Aggregators communication burden, which would be avoided in case of a single scheduling entity directly accessing the raw data generated by the EVs, is an additional communication cost required by the privacy-preserving approach. Such throughput values are compatible with state-of-the art communication technologies for V2G infrastructures.

#### 7.2. Numerical Results

We compare the scheduling results obtained by our proposed protocol to the ILP benchmark model. We consider a scenario of a residential area of 1000 houses with peak power consumption of 3 kW [39], a windfarm (peak production of 8 MW [40]) and 1000 EVs (battery maximum capacity between 12.75 and 17 kWh, charging rate of 0.75 or 1 kW [14], minimum recharge threshold between 1.5 and 2 kWh). The behavior of each Vehicle υ is modeled by means of a discrete random walk between 0 and 1 with state transition probability of 0.25. For each epoch, state 0 is mapped to k_{υi} = 0, while state 1 sets k_{υi} = r_{υ}.

Note that, since the ILP model does not take into account the energy price, such price is assumed to be constant within the whole optimization time span and does not play any role in the scheduling strategy in both the optimal and the privacy-friendly approaches.

Results averaged over 365 days (each day is divided in 96 epochs of 15 min duration, see Figure 3 for an example of daily schedule) show that the running time of the privacy-friendly approach is significantly lower than the one of the ILP model (seconds vs. hours, see Table 5). The minimum power consumption-to-power availability ratio provided by our algorithm is on average lower than the optimal one, which is due to the fact that, in case g_{i} is negative, the privacy-friendly approach always schedules the recharge of high priority EVs, while the ILP model might postpone it according to the knowledge of their future traveing behavior. However, the degree of similarity (expressed in terms of Mean Square Error) between the curve of the grid power supply/request and the curve of the scheduled energy usage is not significantly worsened w.r.t. the optimal solution provided by the ILP formulation (only 0.2% increase, as reported in Table 5).

## 8. Conclusions

This paper proposes a privacy-preserving Vehicle-to-Grid communication infrastructure which schedules the battery charge/discharge times of electric vehicles without exposing the users' traveling habits, the current battery level nor the amount of refilled energy. Performance in terms of computational times and gap w.r.t. the optimal schedule obtained by means of an Integer Linear Program shows the viability of the proposed privacy-friendly approach, which provides results not significantly dissimilar w.r.t. the optimal ones.

## Acknowledgments

The authors thank Valeria Olivieri for her precious suggestions.

## Conflicts of Interest

The authors declare no conflicts of interest.

## References

- Chan, C.; Bouscayrol, A.; Chen, K. Electric, hybrid, and fuel-cell vehicles: Architectures and modeling. IEEE Trans. Veh. Technol.
**2010**, 59, 589–598. [Google Scholar] - Offer, G.; Howey, D.; Contestabile, M.; Clague, R.; Brandon, N. Comparative analysis of battery electric, hydrogen fuel cell and hybrid vehicles in a future sustainable road transport system. Energy Policy
**2010**, 38, 24–29. [Google Scholar] - Pieltain FernaÌᾼndez, L.; RomaÌᾼn, T.; Cossent, R.; Domingo, C.; FriÌᾼas, P. Assessment of the impact of plug-in electric vehicles on distribution networks. IEEE Trans. Power Syst.
**2011**, 26, 206–213. [Google Scholar] - Lopes, J.; Soares, F.; Almeida, P. Integration of electric vehicles in the electric power system. IEEE Proc.
**2011**, 99, 168–183. [Google Scholar] - Markel, T.; Kuss, M.; Denholm, P. Communication and control of electric drive vehicles supporting renewables. Proceedings of the IEEE Vehicle Power and Propulsion Conference (VPPC '09), Dearborn, MI, USA, 7–10 September 2009; pp. 27–34.
- Ekman, C.K. On the synergy between large electric vehicle fleet and high wind penetration—An analysis of the Danish case. Renew. Energy
**2011**, 36, 546–553. [Google Scholar] - Kempton, W.; Tomic, J.; Letendre, S.; Brooks, A.; Lipman, T. Vehicle-to-Grid Power: Battery, Hybrid, and Fuel Cell Vehicles as Resources for Distributed Electric Power in California; Working Paper Series ECD-ITS-Rr-1-03; Institute of Transportation Studies, University of California, Davis: Davis, CA, USA, 2001. [Google Scholar]
- Brooks, A. Integration of electric drive vehicles with the power grid-a new application for vehicle batteries. Proceedings of the Seventeenth Annual Battery Conference on Applications and Advances, Long Beach, CA, USA, 15–18 January 2002; pp. 239–254.
- Kempton, W.; Marra, F.; Andersen, P.; Garcia-Valle, R. Business models and control and management architectures for EV electrical grid integration. In Electric Vehicle Integration into Modern Power Networks; Garcia-Valle, R., PeÃğas Lopes, J.A., Eds.; Power Electronics and Power Systems; Springer New York: New York, NY, USA, 2013; pp. 87–105. [Google Scholar]
- Brooks, A. Vehicle-to-Grid Demonstration Project: Grid Regulation Ancillary Service with a Battery Electric Vehicle; Research Report to CARB; AC Propulsion: San Dimas, CA, USA, 2002. [Google Scholar]
- Hoh, B.; Gruteser, M.; Xiong, H.; Alrabady, A. Enhancing security and privacy in traffic-monitoring systems. IEEE Pervasive Comput.
**2006**, 5, 38–46. [Google Scholar] - Liao, L.; Patterson, D.J.; Fox, D.; Kautz, H. Learning and inferring transportation routines. Artif. Intell.
**2007**, 171, 311–331. [Google Scholar] - National Institute of Standards and Technology, The Smart Grid Interoperability Panel, Smart Grid Cybersecurity Committee. Guidelines for Smart Grid Cybersecurity: Volume 2, Privacy and the Smart Grid. Draft NISTIR 7628 Revision 1. 2013. Available online: http://csrc.nist.gov/publications/PubsDrafts.html#NIST-IR-7628r1 (accessed on 1 January 2014). [Google Scholar]
- Liu, R.; Dow, L.; Liu, E. A survey of PEV impacts on electric utilities. Proceedings of the 2011 IEEE PES Innovative Smart Grid Technologies (ISGT), Hilton Anaheim, CA, USA, 17–19 January 2011; pp. 1–8.
- Bessa, R.J.; Matos, M.A. Economic and technical management of an aggregation agent for electric vehicles: A literature survey. Eur. Trans. Electr. Power
**2012**, 22, 334–350. [Google Scholar] - Han, Y.; Chen, Y.; Han, F.; Liu, K. An optimal dynamic pricing and schedule approach in V2G. Proceedings of the 2012 Asia-Pacific Signal Information Processing Association Annual Summit and Conference (APSIPA ASC), Hollywood, CA, USA, 3–6 December 2012; pp. 1–8.
- Zou, S.; Ma, Z.; Liu, X. Distributed efficient charging coordinations for electric vehicles under progressive second price auction mechanism. Proceedings of the 52nd IEEE Conference on Decision and Control (CDC), Firenze, Italy, 10–13 December 2013; pp. 550–555.
- Li, G.; Zhang, X.P. Modeling of plug-in hybrid electric vehicle charging demand in probabilistic power flow calculations. IEEE Trans. Smart Grid
**2012**, 3, 492–499. [Google Scholar] - Alizadeh, M.; Scaglione, A.; Davies, J.; Kurani, K. A scalable stochastic model for the electricity demand of electric and plug-in hybrid vehicles. IEEE Trans. Smart Grid
**2013**, PP, 1–13. [Google Scholar] - Di Giorgio, A.; Liberati, F.; Pietrabissa, A. On-board stochastic control of Electric Vehicle recharging. Proceedings of the 52nd IEEE Conference on Decision and Control (CDC), Firenze, Italy, 10–13 December 2013; pp. 5710–5715.
- Khayyam, H.; Abawajy, J.; Javadi, B.; Goscinski, A.; Stojcevski, A.; Bab-Hadiashar, A. Intelligent battery energy management and control for vehicle-to-grid via cloud computing network. Appl. Energy
**2013**, 111, 971–981. [Google Scholar] - Stegelmann, M.; Kesdogan, D. Design and evaluation of a privacy-preserving architecture for vehicle-to-grid interaction. In Public Key Infrastructures, Services and Applications; Petkova-Nikova, S., Pashalidis, A., Pernul, G., Eds.; Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 2012; Volume 7163, pp. 75–90. [Google Scholar]
- Stegelmann, M.; Kesdogan, D. Location privacy for vehicle-to-grid interaction through battery management. Proceedings of the Ninth International Conference on Information Technology: New Generations (ITNG), Las Vegas, NV, USA, 16–18 April 2012; pp. 373–378.
- Yang, Z.; Yu, S.; Lou, W.; Liu, C. P
^{2}: Privacy-preserving communication and precise reward architecture for V2G networks in smart grid. IEEE Trans. Smart Grid**2011**, 2, 697–706. [Google Scholar] - Liu, J.; Au, M.; Susilo, W.; Zhou, J. Enhancing location privacy for electric vehicles (at the right time). In Computer Security—ESORICS 2012; Foresti, S., Yung, M., Martinelli, F., Eds.; Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 2012; Volume 7459, pp. 397–414. [Google Scholar]
- Nicanfar, H.; Hosseininezhad, S.; TalebiFard, P.; Leung, V.C.M. Robust privacy-preserving authentication scheme for communication between electric vehicle as power energy storage and power stations. Proceedings of the IEEE INFOCOM, Turin, Italy, 14–19 April 2013; pp. 3429–3434.
- Shamir, A. How to share a secret. Commun. ACM
**1979**, 22, 612–613. [Google Scholar] - Bogdanov, D. Foundations and Properties of Shamir's Secret Sharing Scheme, Research Seminar in Cryptography; Institute of Computer Science, University of Tartu: Tartu, Estonia, 2007. [Google Scholar]
- Nishide, T.; Ohta, K. Multiparty computation for interval, equality, and comparison without bit-decomposition protocol. Proceedings of the 10th International Conference on Practice and Theory in Public-Key Cryptography (PKC '07), Beijing, China, 16–20 April 2007; Springer-Verlag: Berlin/Heidelberg, Germany, 2007; pp. 343–360. [Google Scholar]
- Kerschbaum, F.; Biswas, D.; de Hoogh, S. Performance comparison of secure comparison protocols. Proceedings of the 20th International Workshop on Database and Expert Systems Application (DEXA '09), Linz, Austria, 31 August– 4 September 2009; pp. 133–136.
- Bychkovsky, V.; Hull, B.; Miu, A.; Balakrishnan, H.; Madden, S. A measurement study of vehicular internet access using in situ Wi-Fi networks. Proceedings of the 12th Annual International Conference on Mobile Computing and Networking (MobiCom '06), Los Angeles, CA, USA, 24–29 September 2006; ACM: New York, NY, USA, 2006; pp. 50–61. [Google Scholar]
- Pinart, C.; Sanz, P.; Lequerica, I.; García, D.; Barona, I.; Sánchez-Aparisi, D. DRIVE: A reconfigurable testbed for advanced vehicular services and communications. Proceedings of the 4th International Conference on Testbeds and Research Infrastructures for the Development of Networks & Communities (TridentCom '08), Innsbruck, Austria, 18–20 March 2008; ICST (Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering): Brussels, Belgium, 2008; pp. 16:1–16:8. [Google Scholar]
- Bissmeyer, N.; Stubing, H.; Schoch, E.; Gotz, S.; Stotz, J.P.; Lonc, B. A generic public key infrastructure for securing Car-to-X communication. Proceedings of the 18th World Congress on Intelligent Transport Systems featuring ITS America's Annual Meeting and Exposition, Orlando, FL, USA, 16–20 October 2011.
- Katz, J.; Lindell, Y. Introduction to Modern Cryptography (Chapman & Hall/Crc Cryptography and Network Security Series); Chapman & Hall/CRC: Boca Raton, FL, USA, 2007. [Google Scholar]
- Rottondi, C.; Verticale, G.; Capone, A. Privacy-preserving smart metering with multiple data Consumers. Comput. Netw
**2013**, 57, 1699–1713. [Google Scholar] - Stinson, D. Cryptography Theory and Practice, 2nd ed.; CRC Press: Boca Raton, FL, USA, 2005. [Google Scholar]
- Rottondi, C.; Mauri, G.; Verticale, G. A protocol for metering data pseudonymization in smart grids. Trans. Emerg. Telecommun. Technol.
**2013**. [Google Scholar] [CrossRef] - Randall, J.; Kaliski, B.; Brainard, J.; Turner, S. Use of the RSA-KEM Key Transport Algorithm in the Cryptographic Message Syntax (CMS), RFC 5990; RFC, Ed. ed; The Internet Engineering Task Force: Fremont, CA, USA, 2010. [Google Scholar]
- Barker, S.; Mishra, A.; Irwin, D.; Cecchet, E.; Shenoy, P.; Albrecht, J. Smart*: An Open Data Set and Tools for Enabling Research in Sustainable Homes. Proceedings of the 1st KDD Workshop on Data Mining Applications in Sustainability (SustKDD), Beijing, China, 12 August 2012.
- Hong, T.; Pinson, P.; Fan, S. Global energy forecasting competition 2012. Int. J. Forecast
**2014**, 30, 357–363. [Google Scholar]

**Figure 3.**Comparison of optimal vs. privacy-friendly scheduled battery charges/discharges. Positive values indicate that the grid provides power to recharge the EVs' batteries, while negative values indicate that power provided by the batteries is injected into the grid.

Notation | Description |
---|---|

set of Vehicles (υ is an element of the set) | |

set of Aggregators (a is an element of the set) | |

set of time epochs (i is an element of the set) | |

r_{υ} | battery charging rate of Vehicle υ |

b_{υi} | recharge priority indicator of Vehicle υ at epoch i |

l_{υi} | battery charge level of Vehicle υ at epoch i |

V_{υi} | requested battery charge/discharge indicator of Vehicle υ at epoch i |

t_{υ} | battery threshold level below which no discharge is accepted by Vehicle υ |

$({K}_{e}^{\upsilon i}$, ${K}_{d}^{\upsilon i})$ | ephemeral encryption/decryption key-pair generated by Vehicle υ at epoch i |

ID_{υ} | identifier of Vehicle υ |

Π_{υi} | pseudonym attributed to Vehicle υ at epoch i |

_{i} | set of the pseudonyms Π_{υi} at epoch i |

Γ_{υi} | scheduled battery charge/discharge indicator of Vehicle υ at epoch i |

**Table 2.**Asymptotic complexity in terms of incoming/outgoing messages per node for the scheduling of a single service request.

Node | Input | Output |
---|---|---|

Vehicle | O(1) | O(| |) |

Anonymizer | O(| | · | |) | O(| | · | |) |

Aggregator | O(|
| ^{2} log_{2} |
| · |
|) | O(|
| ^{2} log_{2} |
| · |
|) |

Vehicle | 1 random number generation modulo $n+\tilde{V}{C}_{s}(q)+\left|\text{A}\right|{C}_{e}^{\mathit{\text{RSA}}-\mathit{\text{KEM}}}(n,11)+{C}_{d}^{\mathit{\text{RSA}}}(n)$ |

Anonymizer | 1 random number generation modulo 2^{32} |

Aggregator | ${C}_{e}^{\mathit{\text{RSA}}-\mathit{\text{KEM}}}(n,11)+2{C}_{s}(q)+{c}_{a}(q)+{C}_{d}^{\mathit{\text{RSA}}}(n)$ (worst case) |

see Table 4 for the cost details.

C_{s}(x) | cost of the generation of | | shares modulo x | |
|(|
| − 1) additions modulo x | |(| | − 1) multiplications modulo x (| | − 1) random number generations modulo x |

C_{a}(x) | cost of a share addition modulo x | 1 addition modulo x |

C_{l}(x) | cost of a share Lagrange interpolation modulo x | O(|
|^{2}) multiplications modulo x |

C_{m}(x) | cost of a share collaborative multiplication modulo x | C_{s}(x) + (|
| − 1)C_{a}(x)+ 2 multiplications modulo x, performed in 2 rounds |

C_{c}(x) | cost of a collaborative comparison modulo x | 2 random number generation modulo x + 1 random number generation modulo 2 2 exponentiations modulo q + 2 multiplications modulo x 2C _{s}(x) + (|
| + 1)C_{a}(x) + O(|
|)C_{m}(x) + C_{l}(x), performed in
$\lceil {log}_{2}\left|\text{A}\right|\rceil $ rounds |

${C}_{e}^{\mathit{\text{RSA}}}(x)$ | cost of an RSA encryption modulo x | 1 exponentiation modulo x |

${C}_{d}^{\mathit{\text{RSA}}}(x)$ | cost of an RSA decryption modulo x | 1 exponentiation modulo x |

${C}_{e}^{\mathit{\text{RSA}}-\mathit{\text{KEM}}}(x,l)$ | cost of an RSA-KEM encryption with RSA modulo x and AES encryption of a message of l blocks | 1 random number generation modulo
$x+{C}_{e}^{\mathit{\text{RSA}}}(x)$ 1 KDF2 key derivation and AES-Wrap-128 key wrapping l AES encryptions |

${C}_{d}^{\mathit{\text{RSA}}-\mathit{\text{KEM}}}(x,l)$ | cost of an RSA-KEM decryption with RSA modulo x and AES decryption of a message of l blocks | ${C}_{d}^{\mathit{\text{RSA}}}(x)$ 1 KDF2 key derivation and AES-Wrap-128 key unwrapping l AES decryptions |

Privacy-friendly S. | ILP | ||||||||
---|---|---|---|---|---|---|---|---|---|

Average | Max | Min | Aver. MSE | Time | Average | Max | Min | Aver. MSE | Time |

−6.64 | 0.11 | −167.98 | 4.72 × 10^{12} | 0.6 s | 0.03 | 0.48 | −0.38 | 4.71 × 10^{12} | 4h |

© 2014 by the authors; licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution license (http://creativecommons.org/licenses/by/3.0/).